Hi all,
uniqid() is producing unique ID for the system which is good for email's
message ID etc. Many users are using uniqid() as secure unique ID which is
very bad thing to do for security.
It may be extend to produce safe unique ID
string uniqid(TRUE) - Returns random ID string which is safe to use
security purposes.
My concern is that uniqid() return both safe and unsafe ID which may not be
good. We may better to have new function, perhaps
string safe_uniqid([ing $length=64])
It generate ID using good RNG such as /dev/urandom, /dev/arandom for
UNIXes, openssl RNG for Windows when they are available. It does not use
hash function, but simply convert RNG binary data into text. The same
algorithm that is used for session ID may be used. (Use
hash_bits_per_character=5, since it only contains alphanumeric chars) Since
it does not use hash, it's fast.
We might be better to use hash even if it's a little slow. This
implementation is affected by RNG vulnerabilities directly
The new function name could be anything,
Too many API is not good, but confusing API is not good also.
Any comments? Any good names?
Regards,
P.S. Is anyone working UUID? PostgreSQL is using OSSP's UUID lib, it's good
for PHP.
http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.html
--
Yasuo Ohgaki
yohgaki@ohgaki.net
string safe_uniqid([ing $length=64])
It generate ID using good RNG such as /dev/urandom, /dev/arandom for
UNIXes, openssl RNG for Windows when they are available. It does not use
hash function, but simply convert RNG binary data into text. The same
algorithm that is used for session ID may be used. (Use
hash_bits_per_character=5, since it only contains alphanumeric chars) Since
it does not use hash, it's fast.Any comments? Any good names?
The documentation for uniqid() is pretty clear about the fact that it's
not cryptographically secure and recomends openssl_random_pseudo_bytes()
as a replacement. Shouldn't we just try to come up with sane default
values for its $length parameter instead of adding yet another new function?
P.S. Is anyone working UUID? PostgreSQL is using OSSP's UUID lib, it's good
for PHP.
http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.html
There's http://pecl.php.net/package/uuid.
- Martin
string safe_uniqid([ing $length=64])
It generate ID using good RNG such as /dev/urandom, /dev/arandom for
UNIXes, openssl RNG for Windows when they are available. It does not use
hash function, but simply convert RNG binary data into text. The same
algorithm that is used for session ID may be used. (Use
hash_bits_per_character=5, since it only contains alphanumeric chars)
Since
it does not use hash, it's fast.Any comments? Any good names?
The documentation for
uniqid()is pretty clear about the fact that it's
not cryptographically secure and recomendsopenssl_random_pseudo_bytes()
as a replacement. Shouldn't we just try to come up with sane default
values for its $length parameter instead of adding yet another new
function?
I added the warning to the doc recently.
I see codes that uses uniqid() as a source of safe unique id generation
using
hash functions which is not secure in fact.
We are better to provide easy to use safe unique ID generation function to
prevent this kind of usage even if user could do in user land. Writing a
portable one is not simple enough.
string safe_uniqid([ing $length=64])
Sorry, there is typo and option should be descriptive. It should be
string safe_uniqid([int $length_of_returned_unique_id_string=64');
This function is totally different from current uniqid().
I don't like the name. I hope some one think of good name for it.
P.S. Is anyone working UUID? PostgreSQL is using OSSP's UUID lib, it's
goodfor PHP.
http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.htmlThere's http://pecl.php.net/package/uuid.
It uses ext2 UUID. Isn' it only available for linux, is it?
It' a LGPL license also. It's not preferred license for core...
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
string safe_uniqid([ing $length=64])
It generate ID using good RNG such as /dev/urandom, /dev/arandom for
UNIXes, openssl RNG for Windows when they are available. It does not use
hash function, but simply convert RNG binary data into text. The same
algorithm that is used for session ID may be used. (Use
hash_bits_per_character=5, since it only contains alphanumeric chars)
Since
it does not use hash, it's fast.Any comments? Any good names?
The documentation for
uniqid()is pretty clear about the fact that it's
not cryptographically secure and recomendsopenssl_random_pseudo_bytes()
as a replacement. Shouldn't we just try to come up with sane default
values for its $length parameter instead of adding yet another new
function?I added the warning to the doc recently.
As far as I remember there was always a note about the non secure
usage uniqid. That's not something new, or am I mistaken?
I see codes that uses
uniqid()as a source of safe unique id generation
using
hash functions which is not secure in fact.
Right, I see many insecure codes out there, even things like
unfiltered input usage. It does mean we can enable default filter per
default, f.e.
We are better to provide easy to use safe unique ID generation function to
prevent this kind of usage even if user could do in user land. Writing a
portable one is not simple enough.
We have one, http://de2.php.net/manual/en/function.openssl-random-pseudo-bytes.php.
It depends on openssl, but it is safe for the cases defined in your
other thread about session. On windows it is even always crypto safe.
string safe_uniqid([ing $length=64])
Besides the question about the need to add another function, I would
not use the word "safe" in any function name :)
P.S. Is anyone working UUID? PostgreSQL is using OSSP's UUID lib, it's
goodfor PHP.
http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.htmlThere's http://pecl.php.net/package/uuid.
It uses ext2 UUID. Isn' it only available for linux, is it?
It' a LGPL license also. It's not preferred license for core...
As long as it is not bundled, there is no big deal. And it should not
be lgpl v3, this license is a mess :)
Cheers,
Pierre
@pierrejoye | http://www.libgd.org
On Sun, Feb 2, 2014 at 4:35 PM, Martin Jansen martin@divbyzero.net
wrote:string safe_uniqid([ing $length=64])
It generate ID using good RNG such as /dev/urandom, /dev/arandom for
UNIXes, openssl RNG for Windows when they are available. It does not
use
hash function, but simply convert RNG binary data into text. The same
algorithm that is used for session ID may be used. (Use
hash_bits_per_character=5, since it only contains alphanumeric chars)
Since
it does not use hash, it's fast.Any comments? Any good names?
The documentation for
uniqid()is pretty clear about the fact that it's
not cryptographically secure and recomendsopenssl_random_pseudo_bytes()
as a replacement. Shouldn't we just try to come up with sane default
values for its $length parameter instead of adding yet another new
function?I added the warning to the doc recently.
I see codes that uses
uniqid()as a source of safe unique id generation
using
hash functions which is not secure in fact.We are better to provide easy to use safe unique ID generation function to
prevent this kind of usage even if user could do in user land. Writing a
portable one is not simple enough.string safe_uniqid([ing $length=64])
Sorry, there is typo and option should be descriptive. It should be
string safe_uniqid([int $length_of_returned_unique_id_string=64');
This function is totally different from current
uniqid().
I don't like the name. I hope some one think of good name for it.P.S. Is anyone working UUID? PostgreSQL is using OSSP's UUID lib, it's
goodfor PHP.
http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.htmlThere's http://pecl.php.net/package/uuid.
It uses ext2 UUID. Isn' it only available for linux, is it?
It' a LGPL license also. It's not preferred license for core...
I think it would be good enough to have only uuid v4:
function uuidv4()
{
$data = openssl_random_pseudo_bytes(16); // or whatever
$data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0010
$data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10
return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
}
It's really just a representation of random data, whereby 6 bits are used
for the actual format.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
--
Tjerk
Hi Tjerk,
On Mon, Feb 3, 2014 at 8:55 AM, Tjerk Meesters tjerk.meesters@gmail.comwrote:
I think it would be good enough to have only uuid v4:
function uuidv4()
{
$data = openssl_random_pseudo_bytes(16); // or whatever$data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0010 $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10 return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));}
It's really just a representation of random data, whereby 6 bits are used
for the actual format.
I agree.
UUID v4 simply generate random ID and it is good for many purposes.
My concern is portability. OpenSSL(or Mcrypt) is provided as module.
Users tends not to use module functions whenever possible. To address
this issue, OpenSSL could be a module compiled by default.
Security matters for all applications. Compiling OpenSSL by default would
be nice to have.
Any comments?
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
On Mon, Feb 3, 2014 at 8:55 AM, Tjerk Meesters tjerk.meesters@gmail.comwrote:
I think it would be good enough to have only uuid v4:
function uuidv4()
{
$data = openssl_random_pseudo_bytes(16); // or whatever$data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0010 $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10 return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));}
It's really just a representation of random data, whereby 6 bits are used
for the actual format.I agree.
UUID v4 simply generate random ID and it is good for many purposes.My concern is portability. OpenSSL(or Mcrypt) is provided as module.
Users tends not to use module functions whenever possible. To address
this issue, OpenSSL could be a module compiled by default.Security matters for all applications. Compiling OpenSSL by default would
be nice to have.Any comments?
It seems consensus here is "Not to add new function" and "Improve
documents".
We are better to provide realistic alternative for application developers.
I would like to write a RFC that makes openssl module a module compiled
by default.
Any comments for this?
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi Tjerk,
On Mon, Feb 3, 2014 at 8:55 AM, Tjerk Meesters tjerk.meesters@gmail.comwrote:
I think it would be good enough to have only uuid v4:
function uuidv4()
{
$data = openssl_random_pseudo_bytes(16); // or whatever$data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0010 $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10 return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));}
It's really just a representation of random data, whereby 6 bits are used
for the actual format.I agree.
UUID v4 simply generate random ID and it is good for many purposes.My concern is portability. OpenSSL(or Mcrypt) is provided as module.
Users tends not to use module functions whenever possible. To address
this issue, OpenSSL could be a module compiled by default.
You could simply choose between php_win32_get_random_bytes() (Windows) or
reading directly from /dev/xrandom. Ultimately you have to be prepared to
supplement the data (partially or fully) with calls to php_rand().
Security matters for all applications. Compiling OpenSSL by default would
be nice to have.Any comments?
--
Yasuo Ohgaki
yohgaki@ohgaki.net
--
Tjerk
Hi Tjerk,
On Mon, Feb 3, 2014 at 1:59 PM, Tjerk Meesters tjerk.meesters@gmail.comwrote:
Hi Tjerk,
On Mon, Feb 3, 2014 at 8:55 AM, Tjerk Meesters tjerk.meesters@gmail.comwrote:
I think it would be good enough to have only uuid v4:
function uuidv4()
{
$data = openssl_random_pseudo_bytes(16); // or whatever$data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0010 $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10 return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data),4));
}It's really just a representation of random data, whereby 6 bits are
used for the actual format.I agree.
UUID v4 simply generate random ID and it is good for many purposes.My concern is portability. OpenSSL(or Mcrypt) is provided as module.
Users tends not to use module functions whenever possible. To address
this issue, OpenSSL could be a module compiled by default.You could simply choose between
php_win32_get_random_bytes()(Windows)
or reading directly from/dev/xrandom. Ultimately you have to be prepared
to supplement the data (partially or fully) with calls tophp_rand().
Yes. It can be done this way.
I would like to have full UUID implementation as well as other crypt
features of OpenSSL.
I made a RFC for building OpenSSL module by default.
https://wiki.php.net/rfc/build-openssl-by-default
I'll post it in new thread later.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi Tjerk,
On Mon, Feb 3, 2014 at 8:55 AM, Tjerk Meesters tjerk.meesters@gmail.comwrote:
I think it would be good enough to have only uuid v4:
function uuidv4()
{
$data = openssl_random_pseudo_bytes(16); // or whatever$data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0010 $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10 return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));}
It's really just a representation of random data, whereby 6 bits are used
for the actual format.I agree.
UUID v4 simply generate random ID and it is good for many purposes.My concern is portability. OpenSSL(or Mcrypt) is provided as module.
Users tends not to use module functions whenever possible. To address
this issue, OpenSSL could be a module compiled by default.You could simply choose between
php_win32_get_random_bytes()(Windows) or
reading directly from/dev/xrandom. Ultimately you have to be prepared to
supplement the data (partially or fully) with calls tophp_rand().
I cannot agree more, except for the php_rand part, we should avoid it.
Both are more than enough for this purpose. As I wrote earlier, it is
not necessary to have crypto safe RNGs for uuid generations,
definitively not. It would be good not to suddenly overreact for
something that should be better documented :)
Cheers,
Pierre
@pierrejoye | http://www.libgd.org
Hi all,
On Mon, Feb 3, 2014 at 5:59 AM, Tjerk Meesters tjerk.meesters@gmail.com
wrote:Hi Tjerk,
On Mon, Feb 3, 2014 at 8:55 AM, Tjerk Meesters <
tjerk.meesters@gmail.com>wrote:I think it would be good enough to have only uuid v4:
function uuidv4()
{
$data = openssl_random_pseudo_bytes(16); // or whatever$data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0010 $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10 return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data),4));
}
It's really just a representation of random data, whereby 6 bits are
used
for the actual format.I agree.
UUID v4 simply generate random ID and it is good for many purposes.My concern is portability. OpenSSL(or Mcrypt) is provided as module.
Users tends not to use module functions whenever possible. To address
this issue, OpenSSL could be a module compiled by default.You could simply choose between
php_win32_get_random_bytes()(Windows)
or
reading directly from/dev/xrandom. Ultimately you have to be prepared
to
supplement the data (partially or fully) with calls tophp_rand().I cannot agree more, except for the php_rand part, we should avoid it.
Both are more than enough for this purpose. As I wrote earlier, it is
not necessary to have crypto safe RNGs for uuid generations,
definitively not. It would be good not to suddenly overreact for
something that should be better documented :)
I think use of RAND is bad idea for creating IVs.
I added E_NOTICE for it.
https://github.com/php/php-src/pull/579/files
E_WARNING might be better.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
On Mon, Feb 3, 2014 at 5:59 AM, Tjerk Meesters tjerk.meesters@gmail.com
wrote:Hi Tjerk,
On Mon, Feb 3, 2014 at 8:55 AM, Tjerk Meesters <
tjerk.meesters@gmail.com>wrote:I think it would be good enough to have only uuid v4:
function uuidv4()
{
$data = openssl_random_pseudo_bytes(16); // or whatever$data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0010 $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10 return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data),4));
}
It's really just a representation of random data, whereby 6 bits are
used
for the actual format.I agree.
UUID v4 simply generate random ID and it is good for many purposes.My concern is portability. OpenSSL(or Mcrypt) is provided as module.
Users tends not to use module functions whenever possible. To address
this issue, OpenSSL could be a module compiled by default.You could simply choose between
php_win32_get_random_bytes()(Windows)
or
reading directly from/dev/xrandom. Ultimately you have to be prepared
to
supplement the data (partially or fully) with calls tophp_rand().I cannot agree more, except for the php_rand part, we should avoid it.
Both are more than enough for this purpose. As I wrote earlier, it is
not necessary to have crypto safe RNGs for uuid generations,
The RFC [1] states v4 is used with truly-random or pseudo-random number
generators; it would be up to us to decide whether LCG is pseudo-random
enough :)
The generated values should be hard to guess, which typically means LCG
would not be suitable. The function (if implemented) could issue a warning
or notice if a preferred RNG could not be used, even though
password_hash() doesn't do this in the same scenario.
The RFC [1] states v4 is used with truly-random or pseudo-random number
generators; it would be up to us to decide whether LCG is pseudo-random
enough :)
Every RNG we use are "pseudo-random enough" :)
However it is important to distinguish crypto safe (f.e. /dev/random
), strong (f.e. urandom), weak (mt_rand) or totally pointless (rand
;), not sure about the working for the last one.
For UUID, strong are good enough. Crypto safe would be a overhead and
could be raise more issues that we try to solve, like over use crypto
safe entropy source way too much.
The generated values should be hard to guess, which typically means LCG
would not be suitable. The function (if implemented) could issue a warning
or notice if a preferred RNG could not be used, even though
password_hash()doesn't do this in the same scenario.
As we are mainly talking about sessions here, it is important to keep
an eye on what is done:
http://lxr.php.net/xref/PHP_5_5/ext/session/session.c#345
as you can see it already relies on good enough RNG on all platforms,
as long as the entropy source and length are set correctly:
http://www.php.net/manual/en/session.configuration.php#ini.session.entropy-file
About uniqid not being safe, that's fine. It is known and now well
documented (afair it was the case before too, at least for the unsafe
part).
Pierre
@pierrejoye | http://www.libgd.org
Hi!
It may be extend to produce safe unique ID
string uniqid(TRUE) - Returns random ID string which is safe to use
security purposes.
What's wrong with mcrypt_create_iv() which exists specifically for the
purpose of generating secure random string?
P.S. Is anyone working UUID? PostgreSQL is using OSSP's UUID lib, it's good
for PHP.
http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.html
There's uuid extension for PHP as far as I can see:
http://ossp-uuid.sourcearchive.com/documentation/1.6.2-1ubuntu2/php_2uuid_8c_source.html
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
Hi Stas,
On Sun, Feb 2, 2014 at 7:33 PM, Stas Malyshev smalyshev@sugarcrm.comwrote:
It may be extend to produce safe unique ID
string uniqid(TRUE) - Returns random ID string which is safe to use
security purposes.What's wrong with mcrypt_create_iv() which exists specifically for the
purpose of generating secure random string?
User may use it. IV should be random bytes and it can be used as
secure source for hash. I does almost the same thing that I would
like to do. Issues are
- it does not auto detect RNG and use /dev/random by default
- it does not support /dev/arandom
- it uses php_rand() to create random bytes if source option is not RANDOM
or URANDOM - it is not an available function by default...
1st issue is not a issue actually. I think this is good that it uses
/dev/random by default
even if it may block script. As a crypt module, it should use most secure
source by default. We may improve mcrypt_create_iv() a little by raising
E_NOTICE
error when user set source other than RANDOM or URANDOM, and add ARANDOM
as a source.
Even though mcrypt_create_iv() good enough for it's original purpose, it's
not good as
a general (fool proof) method for generating random bytes as it can block
script execution.
My question is if we should extend uniqid() or add new function that
actually
generates safe ID string. We may add more description to uniqid() page,
mcrypt and
openssl manual page. This is valid option also.
Do you prefer documentation rather than extending uniqid() or new function?
P.S. Is anyone working UUID? PostgreSQL is using OSSP's UUID lib, it's
good
for PHP.
http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.htmlThere's uuid extension for PHP as far as I can see:
http://ossp-uuid.sourcearchive.com/documentation/1.6.2-1ubuntu2/php_2uuid_8c_source.html
Thank you. I didn't know this.
It provides raw API to OSSP UUID. It's sufficient while it may be better
to provide more specific API like PostgreSQL. Like mcrypt and openssl,
it does not provide API that returns the result by single function call.
It would be better if it returns result (UUID string) by a function call.
I hope some one writes such module.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hello!
My personal view is that we need to start to beef up the default PHP
security, and a lot. Kind'a what has been done with the password API, also
needs to be done with a lot of stuff to make it's usage much easier and
much more secure by default.
And although I get the general feeling that PHP 5.6 has low probability of
getting such changes as this, PHP 6 by all indications is around the corner
and stuff like this has to go into it.
My 0.02$
Arvids.
Hi Arvids,
On Mon, Feb 3, 2014 at 7:41 AM, Arvids Godjuks arvids.godjuks@gmail.comwrote:
My personal view is that we need to start to beef up the default PHP
security, and a lot. Kind'a what has been done with the password API, also
needs to be done with a lot of stuff to make it's usage much easier and
much more secure by default.And although I get the general feeling that PHP 5.6 has low probability of
getting such changes as this, PHP 6 by all indications is around the corner
and stuff like this has to go into it.
I would like to do it for escape functions and more sophisticated input
validater,
but it wouldn't happen in 5.6 as you expect.
For the time being, I would like to make features a little stronger,
provide better function for misused function and/or document them more
explicitly.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
What's wrong with mcrypt_create_iv() which exists specifically for the
purpose of generating secure random string?
User may use it. IV should be random bytes and it can be used as
secure source for hash. I does almost the same thing that I would
like to do. Issues are
- it does not auto detect RNG and use /dev/random by default
- it does not support /dev/arandom
- it uses php_rand() to create random bytes if source option is not
RANDOM or URANDOM- it is not an available function by default...
1st issue is not a issue actually. I think this is good that it uses
/dev/random by default
even if it may block script. As a crypt module, it should use most secure
source by default. We may improve mcrypt_create_iv() a little by raising
E_NOTICE
error when user set source other than RANDOM or URANDOM, and add ARANDOM
as a source.Even though mcrypt_create_iv() good enough for it's original purpose, it's
not good as
a general (fool proof) method for generating random bytes as it can block
script execution.
I'm about to write patch improve mcrypt_create_iv(), but there is problem
IV source is defined as enum and user has to specify it as number
typedef enum {
RANDOM = 0,
URANDOM,
RAND
} iv_source;
To maintain compatibility, it would be
typedef enum {
RANDOM = 0,
URANDOM,
RAND,
ARANDOM
} iv_source;
Which seems a little odd to me. Anyway, possible patch would be something
like
diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
index 89ad83f..98b1848 100644
--- a/ext/mcrypt/mcrypt.c
+++ b/ext/mcrypt/mcrypt.c
@@ -539,7 +539,8 @@ PHP_MINFO_FUNCTION(mcrypt) /* {{{ */
typedef enum {
RANDOM = 0,
URANDOM,
- RAND
- RAND,
- ARANDOM
} iv_source;
/* {{{ proto resource mcrypt_module_open(string cipher, string
cipher_directory, string mode, string mode_directory)
@@ -1387,8 +1388,23 @@ PHP_FUNCTION(mcrypt_create_iv)
}
iv = ecalloc(size + 1, 1);
- if (source == RANDOM || source == URANDOM) {
- switch(source) {
- case RAND:
- source = NULL;
- break;
- case URANDOM:
- source = "/dev/urandom";
- break;
- case ARANDOM:
- source = "/dev/arandom";
- break;
- case RANDOM:
- default:
- source = "/dev/random";
- }
- if (source) {
#if PHP_WIN32
/* random/urandom equivalent on Windows */
BYTE *iv_b = (BYTE *) iv;
@@ -1402,7 +1418,7 @@ PHP_FUNCTION(mcrypt_create_iv)
int fd;
size_t read_bytes = 0;
- fd = open(source == RANDOM ? "/dev/random" : "/dev/urandom", O_RDONLY);
- fd = open(source, O_RDONLY);
if (fd < 0) {
efree(iv);
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot open source device");
@@ -1428,6 +1444,7 @@ PHP_FUNCTION(mcrypt_create_iv)
while (size) {
iv[--size] = (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
} - php_error_docref(NULL TSRMLS_CC, E_NOTICE, "RAND is not safe");
}
RETURN_STRINGL(iv, n, 0);
}
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
Possible patch for mcrypt_create_iv(). I put it in github.
https://github.com/yohgaki/php-src/compare/PHP-5.6-mcrypt_create_iv
- Add /dev/arandom support
- Raise warning for dangerous usage
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi all,
What's wrong with mcrypt_create_iv() which exists specifically for the
purpose of generating secure random string?
User may use it. IV should be random bytes and it can be used as
secure source for hash. I does almost the same thing that I would
like to do. Issues are
- it does not auto detect RNG and use /dev/random by default
- it does not support /dev/arandom
- it uses php_rand() to create random bytes if source option is not
RANDOM or URANDOM- it is not an available function by default...
1st issue is not a issue actually. I think this is good that it uses
/dev/random by default
even if it may block script. As a crypt module, it should use most secure
source by default. We may improve mcrypt_create_iv() a little by raising
E_NOTICE
error when user set source other than RANDOM or URANDOM, and add ARANDOM
as a source.Even though mcrypt_create_iv() good enough for it's original purpose,
it's not good as
a general (fool proof) method for generating random bytes as it can block
script execution.I'm about to write patch improve mcrypt_create_iv(), but there is problem
IV source is defined as enum and user has to specify it as number
typedef enum {
RANDOM = 0,
URANDOM,
RAND
} iv_source;To maintain compatibility, it would be
typedef enum {
RANDOM = 0,
URANDOM,
RAND,
ARANDOM
} iv_source;Which seems a little odd to me. Anyway, possible patch would be something
likediff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
index 89ad83f..98b1848 100644
--- a/ext/mcrypt/mcrypt.c
+++ b/ext/mcrypt/mcrypt.c
@@ -539,7 +539,8 @@ PHP_MINFO_FUNCTION(mcrypt) /* {{{ */
typedef enum {
RANDOM = 0,
URANDOM,
- RAND
- RAND,
- ARANDOM
} iv_source;/* {{{ proto resource mcrypt_module_open(string cipher, string
cipher_directory, string mode, string mode_directory)
@@ -1387,8 +1388,23 @@ PHP_FUNCTION(mcrypt_create_iv)
}iv = ecalloc(size + 1, 1);
- if (source == RANDOM || source == URANDOM) {
- switch(source) {
- case RAND:
- source = NULL;
- break;
- case URANDOM:
- source = "/dev/urandom";
- break;
- case ARANDOM:
- source = "/dev/arandom";
- break;
- case RANDOM:
- default:
- source = "/dev/random";
- }
- if (source) {
#if PHP_WIN32
/* random/urandom equivalent on Windows */
BYTE *iv_b = (BYTE *) iv;
@@ -1402,7 +1418,7 @@ PHP_FUNCTION(mcrypt_create_iv)
int fd;
size_t read_bytes = 0;
- fd = open(source == RANDOM ? "/dev/random" : "/dev/urandom", O_RDONLY);
- fd = open(source, O_RDONLY);
if (fd < 0) {
efree(iv);
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot open source
device");
@@ -1428,6 +1444,7 @@ PHP_FUNCTION(mcrypt_create_iv)
while (size) {
iv[--size] = (char) (255.0 * php_rand(TSRMLS_C) / RAND_MAX);
}- php_error_docref(NULL TSRMLS_CC, E_NOTICE, "RAND is not safe");
}
RETURN_STRINGL(iv, n, 0);
}--
Yasuo Ohgaki
yohgaki@ohgaki.net
User may use it. IV should be random bytes and it can be used as
secure source for hash. I does almost the same thing that I would
like to do. Issues are
- it does not auto detect RNG and use /dev/random by default
- it does not support /dev/arandom
- it uses php_rand() to create random bytes if source option is not
RANDOM
or URANDOM- it is not an available function by default...
1st issue is not a issue actually. I think this is good that it uses
/dev/random by default
even if it may block script. As a crypt module, it should use most secure
source by default. We may improve mcrypt_create_iv() a little by raising
E_NOTICE
error when user set source other than RANDOM or URANDOM, and add ARANDOM
as a source.Even though mcrypt_create_iv() good enough for it's original purpose, it's
not good as
a general (fool proof) method for generating random bytes as it can block
script execution.
It is exactly because of of its blocking nature when the entropy source is
not sufficient that it is secure. This is the root difference between
urandom and random (or the likes).
My question is if we should extend
uniqid()or add new function that
actually
generates safe ID string. We may add more description touniqid()page,
mcrypt and
However we really do not crypto safe random bytes for this purpose. urandom
and similar are enough for session hash data or unique id. Non crypto safe
RNGs are not necessary unsafe, only not safe enough for cryptography
related operations, unique IDs is not a cryptography related operation.
Do you prefer documentation rather than extending
uniqid()or new
function?
I think better documentation is a good solution.
Cheers,
Pierre
Hi!
- it does not auto detect RNG and use /dev/random by default
- it does not support /dev/arandom
- it uses php_rand() to create random bytes if source option is not
RANDOM or URANDOM- it is not an available function by default...
It's available if you include the extension, which you should if you
need security. And any support options can be added. Creating entirely
new function because existing function does exactly the same but doesn't
support one option or one specific setting for one use case doesn't
sound right to me.
Even though mcrypt_create_iv() good enough for it's original purpose,
it's not good as
a general (fool proof) method for generating random bytes as it can
block script execution.
If you use strict randomness function. If you use URANDOM, it would
never do it. All depends on your requirements.
My question is if we should extend
uniqid()or add new function that
actually
generates safe ID string. We may add more description touniqid()page,
How mcrypt_create_iv is not safe? It generates a random string, you need
a random string, what's unsafe in it?
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
Hi Stas,
On Mon, Feb 3, 2014 at 8:02 AM, Stas Malyshev smalyshev@sugarcrm.comwrote:
My question is if we should extend
uniqid()or add new function that
actually
generates safe ID string. We may add more description touniqid()page,How mcrypt_create_iv is not safe? It generates a random string, you need
a random string, what's unsafe in it?
It's safe as long as users do not use RAND as random source.
There are many use cases that users need secure random string and
there are many mistakes out there. I'm questioning if we should have
easy to use and easy to find function for it or not.
Better documentation is valid option rather than have a function.
Do you suggest documentation as a solution?
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi!
Better documentation is valid option rather than have a function.
Do you suggest documentation as a solution?
Yes, I think it's better than creating new function.
--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
Yasuo Ohgaki wrote:
P.S. Is anyone working UUID? PostgreSQL is using OSSP's UUID lib, it's good
for PHP.
http://www.postgresql.org/docs/9.2/interactive/uuid-ossp.html
Yasuo ... Stas has pointed out that there are other options, but it's probably
worth flagging an important point here in relation to unique identifiers and
databases. UUID can be something of a millstone, and may not actually be
necessary. Certainly storing a non-optimised UUID can create a bottleneck if
it's structure makes indexing it 'distorted'. Certainly on Firebird the UUID
functions can be selected to produce an better spread of keys when producing the
indexes. However it is still not 'ideal' at creating a unique ID anyway, and
simply using a much more efficient 'SEQUENCE' ( in Firebird these are caller
generators and have recently been updated to BIGINT hence my interest in the
under the hood 64bit stuff elsewhere! ) and combine that with a machine related
unique id if necessary. While MAC address should be unique it can be overridden
and often is to get around MAC related licence limits ... not that we would
condone that.
There is a nice paper on this on the Firebird site, but I can't locate it at the
moment. Don't you just love 'google' as a site search tool :(
--
Lester Caine - G8HFL
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
Hi all,
uniqid()is producing unique ID for the system which is good for email's
message ID etc. Many users are usinguniqid()as secure unique ID which is
very bad thing to do for security.It may be extend to produce safe unique ID
string uniqid(TRUE) - Returns random ID string which is safe to use
security purposes.
I have always been of the opinion that function's internal workings
should not be affected by an option like this.
My concern is that
uniqid()return both safe and unsafe ID which may
not be good. We may better to have new function, perhapsstring safe_uniqid([ing $length=64])
Yes, I agree - but we should not make the mistake of calling the
function "safe_" ... firstly because it reminds me of "safe_mode", but
more importantly is that we still can't guarantee it's safe. The
underlaying RNG sources are not under out control.
cheers,
Derick
--
http://derickrethans.nl | http://xdebug.org
Like Xdebug? Consider a donation: http://xdebug.org/donate.php
twitter: @derickr and @xdebug
Posted with an email client that doesn't mangle email: alpine
Hi Derick,
uniqid()is producing unique ID for the system which is good for email's
message ID etc. Many users are usinguniqid()as secure unique ID which
is
very bad thing to do for security.It may be extend to produce safe unique ID
string uniqid(TRUE) - Returns random ID string which is safe to use
security purposes.I have always been of the opinion that function's internal workings
should not be affected by an option like this.
To be honest, I don't like it neither :) That's the reason why I did not
write RFC for it.
My concern is that
uniqid()return both safe and unsafe ID which may
not be good. We may better to have new function, perhapsstring safe_uniqid([ing $length=64])
Yes, I agree - but we should not make the mistake of calling the
function "safe_" ... firstly because it reminds me of "safe_mode", but
more importantly is that we still can't guarantee it's safe. The
underlaying RNG sources are not under out control.
I agree. The name is stupid ;)
I would like to have 'default' secure ID generator which we do not have
currently. This is my point.
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
Hi Yasuo,
Hi all,
uniqid()is producing unique ID for the system which is good for email's
message ID etc. Many users are usinguniqid()as secure unique ID which is
very bad thing to do for security.It may be extend to produce safe unique ID
string uniqid(TRUE) - Returns random ID string which is safe to use
security purposes.My concern is that
uniqid()return both safe and unsafe ID which may not be
good. We may better to have new function, perhaps
Mildly off-topic, the function has another outcome aside from any pure
role as a secure ID generator in that it leaks very specific timing
information which could be useful to unfriendly people:
$id = uniqid();
$time = str_split($id, 8);
$sec = hexdec('0x' . $time[0]);
$usec = hexdec('0x' . $time[1]);
echo 'Seconds: ', $sec, PHP_EOL, 'Microseconds: ', $usec, PHP_EOL;
The format is preserved even with additional parameters to the function.
Using the function at all is problematic.
--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
Zend Framework Community Review Team
Zend Framework PHP-FIG Representative